@blamejs/exceptd-skills 0.13.81 → 0.13.83

package/data/atlas-ttps.json

@@ -143,6 +143,8 @@
     "maturity": "high",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
       "CVE-2026-39987",
@@ -1259,6 +1261,8 @@
     "exceptd_skills": [],
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
@@ -2784,7 +2788,11 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--a5cc5062-f672-510a-8a4f-a8d1aa7f5024",
-    "is_subtechnique": true
+    "is_subtechnique": true,
+    "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747"
+    ]
   },
   "AML.T0011.001": {
     "id": "AML.T0011.001",

package/data/attack-techniques.json

@@ -273,6 +273,7 @@
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-34291",
@@ -283,6 +284,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -1069,6 +1071,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2024-3094",
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -2007,6 +2011,10 @@
     "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses.",
     "tactic": [
       "Execution"
+    ],
+    "cve_refs": [
+      "CVE-2024-0132",
+      "CVE-2025-23266"
     ]
   },
   "T1611": {
@@ -2018,11 +2026,13 @@
       "DS0029"
     ],
     "cve_refs": [
+      "CVE-2024-0132",
       "CVE-2024-21626",
       "CVE-2024-3154",
       "CVE-2025-22224",
       "CVE-2025-22225",
       "CVE-2025-22226",
+      "CVE-2025-23266",
       "CVE-2025-38352"
     ],
     "description_full": "Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape from a container to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) In ESXi environments, an adversary may exploit a vulnerability in order to escape from a virtual machine into the hypervisor.(Citation: Broadcom VMSA-2025-004) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers or virtual machines running on the host, or setting up a command and control channel on the host.",
@@ -4228,7 +4238,11 @@
       "Containers"
     ],
     "stix_id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747"
+    ]
   },
   "T1205": {
     "id": "T1205",

package/data/cve-catalog.json

@@ -11617,6 +11617,424 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Open WebUI's Direct Connections feature lets a malicious external model server inject JavaScript via SSE (CWE-95), leading to account takeover and, with extended permissions, RCE; fixed in 0.6.35."
   },
+  "CVE-2024-0132": {
+    "name": "NVIDIA Container Toolkit TOCTOU Container Escape",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 8.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cvss_note": "NIST CVSS v3.1 base 8.3 (HIGH); NVIDIA scored it 9.0 (CRITICAL). Time-of-check/time-of-use race condition in the container runtime enabling escape to the host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit 1.16.1 and earlier (fixed 1.16.2); NVIDIA GPU Operator up to but excluding 24.6.2 (fixed 24.6.2).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.16.1",
+      "NVIDIA GPU Operator < 24.6.2"
+    ],
+    "vector": "A TOCTOU race in NVIDIA Container Toolkit's handling of container images / mounts (CWE-367) lets a specially crafted container image escape its container and gain access to the host file system and runtime, enabling code execution on the host. Disclosed by Wiz.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.16.2 or later; restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.16.2 or later (and NVIDIA GPU Operator past 24.6.2). Until then, do not run untrusted container images on GPU nodes."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-0132",
+    "cwe_refs": [
+      "CWE-367"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (NVIDIA Container Toolkit <= 1.16.1) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-0132 (CWE-367 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5582)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5582"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5582",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-0132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0132",
+        "severity": "high",
+        "published_date": "2024-09-26"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-367; NIST CVSS 8.3) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit has a TOCTOU race (CWE-367) that lets a crafted container image escape to the host; fixed in 1.16.2. Ubiquitous in GPU/AI cloud workloads."
+  },
+  "CVE-2025-23266": {
+    "name": "NVIDIA Container Toolkit Init-Hook Untrusted Search Path Container Escape (NVIDIAScape)",
+    "type": "CONTAINER-ESCAPE",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD/NVIDIA CVSS v3.1 base 9.0 (CRITICAL, Scope:Changed). An untrusted search path in container-initialization hooks (CWE-426) lets a container run code with elevated host permissions. Disclosed by Wiz as NVIDIAScape.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented by Wiz Research and the NVIDIA advisory: a crafted container image / Dockerfile causes NVIDIA Container Toolkit to execute attacker-controlled code on the host, escaping the container.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research. The abused surface is the GPU container runtime that underpins essentially all containerized AI/ML GPU workloads; a single escape crosses the tenant boundary on shared GPU infrastructure.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; a container-runtime escape whose significance is the AI/GPU multi-tenant blast radius.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Container Toolkit up to and including 1.17.7 (fixed 1.17.8) and NVIDIA GPU Operator up to and including 25.3.0 (fixed 25.3.1).",
+    "affected_versions": [
+      "NVIDIA Container Toolkit <= 1.17.7",
+      "NVIDIA GPU Operator <= 25.3.0"
+    ],
+    "vector": "NVIDIA Container Toolkit's OCI createContainer hook inherits environment variables from the container, including LD_PRELOAD (CWE-426 untrusted search path). A crafted container image sets LD_PRELOAD to a rogue shared library that the privileged hook then loads with root privileges, executing attacker code on the host — a container escape. Disclosed by Wiz (NVIDIAScape); a three-line Dockerfile is sufficient.",
+    "complexity": "low",
+    "complexity_notes": "Requires the ability to run or schedule a crafted container image on a GPU node (the standard precondition for shared AI compute).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later); restart the runtime, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Container Toolkit to 1.17.8 or later (or NVIDIA GPU Operator to 25.3.1 or later) per NVIDIA advisory a_id/5659. Until then, do not run untrusted container images on GPU nodes and restrict who can schedule GPU workloads."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the GPU container runtime as managed, escape-bearing software under every AI/ML GPU workload.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the container is the tenant boundary; a runtime escape crosses it on shared GPU infrastructure.",
+      "ISO-27001-2022-A.8.22": "Segregation-of-networks/tenancy control does not account for a GPU-runtime escape breaking container isolation between AI workloads.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the GPU container runtime as a privileged isolation boundary requiring rapid patching.",
+      "DORA-Art-9": "ICT protection measures do not model a GPU-runtime container escape as an ICT-risk event crossing tenant boundaries.",
+      "UK-CAF-B4": "System Security objective has no objective for the GPU container runtime as an isolation boundary.",
+      "AU-ISM-1546": "Patch-application control does not single out the GPU container runtime that underpins AI workloads.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the GPU container runtime as an AI-pipeline trust boundary; an escape exposes co-tenant models, data and credentials on shared GPU hosts."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1610",
+      "T1611"
+    ],
+    "rwep_score": 35,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 35, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=30 (NVIDIA Container Toolkit underpins essentially all containerized GPU/AI workloads) minus patch 15. Note: the multi-tenant GPU-cloud blast radius raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23266",
+    "cwe_refs": [
+      "CWE-426"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA Container Toolkit (nvidia-container-cli / runtime hook) loading libraries or executing binaries from a path under a container-controlled mount.",
+        "A container image whose initialization manipulates mounts, symlinks, or LD_* / search-path variables consumed by the GPU runtime.",
+        "Processes from a GPU workload container reading or writing host paths outside the container's intended mounts.",
+        "NVIDIA Container Toolkit at an affected version (<= 1.17.7, or GPU Operator <= 25.3.0) on a node that schedules untrusted or multi-tenant GPU workloads — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23266 (CWE-426 container escape) and Wiz Research + the NVIDIA security advisory (https://nvidia.custhelp.com/app/answers/detail/a_id/5659)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5659"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5659",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23266",
+        "severity": "critical",
+        "published_date": "2025-07-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-426; NIST CVSS 9) + Wiz Research + the NVIDIA security advisory. Member of the NVIDIA Container Toolkit GPU-container-escape family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Container Toolkit loads code via an untrusted search path in its init hooks (CWE-426), letting a crafted container escape to the host with elevated permissions (NVIDIAScape). Affects Container Toolkit <= 1.17.7 (fixed 1.17.8) and GPU Operator <= 25.3.0 (fixed 25.3.1)."
+  },
+  "CVE-2025-1550": {
+    "name": "Keras .keras Model Deserialization Arbitrary Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). Arbitrary code execution at model-load time via unrestricted importlib use in the .keras format parser — no Lambda layer or custom object required, and loading (not calling) the model triggers it.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.7.x (fixed in 3.8.0, which introduced the safe_mode mitigation).",
+    "affected_versions": [
+      "Keras >= 3.0.0, < 3.8.0"
+    ],
+    "vector": "Keras's .keras model-format parser uses importlib.import_module on names taken from the model archive, so a crafted .keras file executes arbitrary Python modules/functions when the model is loaded (CWE-94) — without Lambda layers or custom objects, at parse time. An attacker who can get a victim to load an untrusted model achieves code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:N — loading the model (not calling it) triggers execution.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras to 3.8.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras to 3.8.0 or later and never load .keras models from untrusted sources. Note safe_mode alone is insufficient (see CVE-2025-8747)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1550",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, < 3.8.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary public exploit for CVE-2025-1550 — Exploit-DB EDB-52359 (https://www.exploit-db.com/exploits/52359) and the PoC write-up at https://github.com/io-no/CVE-Reports/issues/2 — plus the Huntr technical analysis (https://blog.huntr.com/inside-cve-2025-1550-remote-code-execution-via-keras-models) and NVD CVE-2025-1550 (CWE-94). The importlib-driven load-time execution is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+      "https://github.com/keras-team/keras/security/advisories",
+      "https://www.exploit-db.com/exploits/52359",
+      "https://github.com/io-no/CVE-Reports/issues/2"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://github.com/keras-team/keras/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 9.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras's .keras model parser runs arbitrary Python via importlib at load time (CWE-94), so loading an untrusted model is RCE; fixed in 3.8.0 (added safe_mode)."
+  },
+  "CVE-2025-8747": {
+    "name": "Keras safe_mode Bypass Model Deserialization Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.8 (HIGH). A bypass of the safe_mode mitigation introduced for CVE-2025-1550: even with safe_mode enabled, a crafted .keras archive passed to Model.load_model can execute code by abusing arguments to built-in Keras modules (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded, bypassing the safe_mode mitigation.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.10.0 (the safe_mode mitigation from 3.8.0 is bypassable through 3.10.0).",
+    "affected_versions": [
+      "Keras >= 3.0.0, <= 3.10.0"
+    ],
+    "vector": "The safe_mode mitigation added for CVE-2025-1550 is incomplete: Model.load_model still deserializes untrusted .keras archives in a way that lets crafted arguments to built-in Keras modules execute code (CWE-502), even when safe_mode is enabled. Loading an untrusted model is therefore still RCE.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:L / UI:R — requires a victim to load the crafted model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras past 3.10.0 to the release that fixes the safe_mode bypass; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras past 3.10.0 (to the release that fixes the safe_mode bypass) and treat safe_mode as necessary-but-insufficient: never load .keras models from untrusted sources."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-8747",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, <= 3.10.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary advisory for the CVE-2025-8747 safe_mode bypass — GitHub Security Advisory GHSA-c9rc-mg46-23w3 (https://github.com/advisories/GHSA-c9rc-mg46-23w3), which documents the bypass technique and PoC — plus NVD CVE-2025-8747 (CWE-502) and the Huntr Keras-deserialization research (https://blog.huntr.com/hunting-vulnerabilities-in-keras-model-deserialization). The safe_mode-enabled Model.load_model code execution via built-in module arguments is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+      "https://github.com/advisories/GHSA-c9rc-mg46-23w3"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://github.com/advisories/GHSA-c9rc-mg46-23w3",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 7.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras safe_mode (added for CVE-2025-1550) is bypassable through 3.10.0: a crafted .keras archive executes code via built-in module arguments even with safe_mode on (CWE-502). The first fix was incomplete."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -369,6 +369,7 @@
       "CVE-2022-48503",
       "CVE-2024-56145",
       "CVE-2025-11837",
+      "CVE-2025-1550",
       "CVE-2025-32432",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -1192,7 +1193,8 @@
     ],
     "skills_referencing": [],
     "evidence_cves": [
-      "CVE-2012-1854"
+      "CVE-2012-1854",
+      "CVE-2025-23266"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-6",
@@ -1316,6 +1318,7 @@
       "CVE-2025-59287",
       "CVE-2025-60455",
       "CVE-2025-68664",
+      "CVE-2025-8747",
       "CVE-2026-20131",
       "CVE-2026-20963"
     ],
@@ -2074,7 +2077,8 @@
       "CWE-826"
     ],
     "evidence_cves": [
-      "CVE-2020-17103-REREGRESSION-2026"
+      "CVE-2020-17103-REREGRESSION-2026",
+      "CVE-2024-0132"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 to back the MiniPlasma cldflt.sys re-regression entry. CWE-367 is the standard MITRE classification for TOCTOU races; the cldflt.sys HsmOsBlockPlaceholderAccess primitive validates a placeholder file's accessibility once, then is racing against a junction / symlink swap before the kernel acts on the cached decision."